A New Approach to Multimedia Files Carving

摘要

Traditional file recovery methods rely on file system information, which are ineffective when file system information isn't available. File carving is a file recovery method that recovers files according to their structure and content without file system information, which is widely used in digital forensics. As the important carriers of digital information, multimedia files are important digital evidence. In this paper, a new multimedia file carving approach is proposed to improve the recovery accuracy of high entropy file fragments. The fragmented files can be recovered by a hierarchical carving process, including file header identification via entropy, file fragment type classification, and file reassembly via parallel unique path approach. A new file type classification method is constructed based on support vector machine, by using the features of BFD (byte frequency distribution) and ROC (rate of change). Four different datasets, such as DFRWS 2006/2007 challenge datasets, dataset simulating actual disk, dataset with randomly disordered fragments, and dataset with biomedical images, are employed in our experiments. The results show that JPEG recovery accuracy is improved greatly compared with that of Photo Rec tool. Our method performs best in the situation where the order of fragments is completely confusing.